From 6a5e61b1f7809ad4352aed77b3342ca68cfd8262 Mon Sep 17 00:00:00 2001
From: Charles Moulliard <cmoulliard@redhat.com>
Date: Wed, 26 Jun 2024 09:17:44 +0200
Subject: [PATCH] Bump the versions of the operators (#164)

* Bump the versions of the operators for: Tekton, GitOps & ArgoCD. Review instructions

Signed-off-by: cmoulliard <cmoulliard@redhat.com>

* Remove pipelineRun as resource to be excluded

Signed-off-by: cmoulliard <cmoulliard@redhat.com>

* Add RBAC for the backstage SA used to access the kubernetes resources

Signed-off-by: cmoulliard <cmoulliard@redhat.com>

---------

Signed-off-by: cmoulliard <cmoulliard@redhat.com>
---
 README.md                                     |  71 ++++----
 .../gitops/{argocd.tmpl => argocd.yml}        | 168 +++++++++---------
 manifest/installation/gitops/rbac.yml         |  12 ++
 .../gitops/subscription-gitops.yml            |   2 +-
 .../tekton/subscription-pipelines.yml         |   2 +-
 .../subscription-kubevirt-hyperconverged.yml  |   2 +-
 6 files changed, 133 insertions(+), 124 deletions(-)
 rename manifest/installation/gitops/{argocd.tmpl => argocd.yml} (94%)
 create mode 100644 manifest/installation/gitops/rbac.yml

diff --git a/README.md b/README.md
index e474b28..4f6d1c9 100644
--- a/README.md
+++ b/README.md
@@ -19,12 +19,12 @@ The backstage QShift application has been designed to showcase QShift (Quarkus o
 | Backstage plugin                                                                                                                                                                                                                                          | Backend system                                   | 
 |-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|
 | [Core - 1.27.x](https://github.com/backstage/versions/blob/main/v1/releases/1.23.4/manifest.json)                                                                                                                                                         | GitHub                                           |
-| [Kubernetes](https://backstage.io/docs/features/kubernetes/)                                                                                                                                                                                              | OpenShift 4.14                                   |
-| [Quarkus front & backend](https://github.com/q-shift/backstage-plugins)                                                                                                                                                                                   | code.quarkus.io, OpenShift Virtualization 4.14.3 |
-| [Quarkus Console](https://github.com/q-shift/backstage-plugins?tab=readme-ov-file#quarkus-console)                                                                                                                                                        | OpenShift 4.14                                   |
-| ArgoCD [front](https://github.com/RoadieHQ/roadie-backstage-plugins/tree/main/plugins/frontend/backstage-plugin-argo-cd) & [backend](https://github.com/RoadieHQ/roadie-backstage-plugins/tree/main/plugins/scaffolder-actions/scaffolder-backend-argocd) | OpenShift GitOps 1.11.1                          |
-| [Tekton](https://github.com/janus-idp/backstage-plugins/tree/main/plugins/tekton)                                                                                                                                                                         | OpenShift Pipelines 1.13.1                       |
-| [Topology](https://github.com/janus-idp/backstage-plugins/tree/main/plugins/topology)                                                                                                                                                                     | OpenShift 4.14                                   |
+| [Kubernetes](https://backstage.io/docs/features/kubernetes/)                                                                                                                                                                                              | OpenShift 4.15                                   |
+| [Quarkus front & backend](https://github.com/q-shift/backstage-plugins)                                                                                                                                                                                   | code.quarkus.io, OpenShift Virtualization 4.15.2 |
+| [Quarkus Console](https://github.com/q-shift/backstage-plugins?tab=readme-ov-file#quarkus-console)                                                                                                                                                        | OpenShift 4.15                                   |
+| ArgoCD [front](https://github.com/RoadieHQ/roadie-backstage-plugins/tree/main/plugins/frontend/backstage-plugin-argo-cd) & [backend](https://github.com/RoadieHQ/roadie-backstage-plugins/tree/main/plugins/scaffolder-actions/scaffolder-backend-argocd) | OpenShift GitOps 1.12.3                          |
+| [Tekton](https://github.com/janus-idp/backstage-plugins/tree/main/plugins/tekton)                                                                                                                                                                         | OpenShift Pipelines 1.15.0                       |
+| [Topology](https://github.com/janus-idp/backstage-plugins/tree/main/plugins/topology)                                                                                                                                                                     | OpenShift 4.15                                   |
 | [DevTools](https://github.com/backstage/backstage/blob/master/plugins/devtools/README.md)                                                                                                                                                                 |                                                  |
 
 **Note**: This backstage application is based on the backstage's version: 1.27.x
@@ -32,7 +32,7 @@ The backstage QShift application has been designed to showcase QShift (Quarkus o
 ## Prerequisites
 
 - [nvm](https://github.com/nvm-sh/nvm)
-- [Node.js](https://nodejs.org/en) (18 or 20.x but not 22 as it fails on macOS as node-gyp fails to build: isolated-vm)
+- [Node.js](https://nodejs.org/en) (20.x but not 22 as it fails on macOS as node-gyp fails to build: isolated-vm)
 - [Yarn](https://yarnpkg.com/migration/guide). It is mandatory to migrate from yarn 1.x to 4.x and to enable `corepack enable` !
 - [GitHub client](https://cli.github.com/) (optional)
 - [argocd client](https://argo-cd.readthedocs.io/en/stable/getting_started/#2-download-argo-cd-cli) (optional)
@@ -41,7 +41,7 @@ The backstage QShift application has been designed to showcase QShift (Quarkus o
 
 ## Provision an ocp cluster
 
-The following section details the different commands to be used to deploy the backend systems needed by QShift on a new OCP cluster (e.g. 4.14.10)
+The following section details the different commands to be used to deploy the backend systems needed by QShift on a new OCP cluster (e.g. 4.15.x)
 
 #### Kubevirt
 
@@ -75,21 +75,17 @@ kubectl apply -f subscription-gitops.yml
 
 To use ArgoCD with QShift, it is needed to delete the existing `ArgoCD` CR and to deploy our `ArgoCD` CR.
 
-**Note**: Our CR includes different changes needed to work with QShift: `sourceNamespaces`, `extraConfig` and `tls.termination: reencrypt` and `resourceExclusions`
+**Note**: Our CR includes different changes needed to work with QShift:
+- `extraConfig: resource.customizations.health.PersistentVolumeClaim` to avoid that ArgoCD watch the PVC resources
+- `tls.termination: reencrypt` to allow to access the ArgoCD route
 
-**Todo**: The previous note should be documented to explain the changes needed !
-
-```bash
-kubectl delete argocd/openshift-gitops -n openshift-gitops
-```
-Substitute within the `ArgoCD` CR the <MY_NAMESPACE> to be used using this command
 ```bash
-cat argocd.tmpl | NAMESPACE=<MY_NAMESPACE> envsubst > argocd.yml
+kubectl delete argocd/argocd -n openshift-gitops
 kubectl apply -f argocd.yml
 ```
-**Todo**: Instead of deleting and recreating a new ArgoCD CR, we should patch it or install it using kustomize, helm chart. Example: https://github.com/redhat-cop/agnosticd/blob/development/ansible/roles_ocp_workloads/ocp4_workload_openshift_gitops/templates/openshift-gitops.yaml.j2
+**Todo**: Instead of deleting and recreating a new ArgoCD CR, we should patch it or install it using kustomize. Example: https://github.com/redhat-cop/agnosticd/blob/development/ansible/roles_ocp_workloads/ocp4_workload_openshift_gitops/templates/openshift-gitops.yaml.j2
 
-Patch the `AppProject` CR to support to deploy the `Applications` CR in [different namespaces](https://github.com/q-shift/backstage-playground/issues/39#issuecomment-1938403564).
+Patch the default `AppProject` CR to support to deploy the `Applications` CR in [different namespaces](https://github.com/q-shift/backstage-playground/issues/39#issuecomment-1938403564).
 ```bash
 kubectl get AppProject/default -n openshift-gitops -o json | jq '.spec.sourceNamespaces += ["*"]' | kubectl apply -f -
 ```
@@ -97,20 +93,7 @@ kubectl get AppProject/default -n openshift-gitops -o json | jq '.spec.sourceNam
 Finally, create a new ClusterRoleBinding to give the `Admin` role to the ServiceAccount `openshift-gitops-argocd-application-controller`. That will allow it to manage the `Applications` CR deployed in any namespace of the cluster.
 
 ```bash
-cat << EOF | kubectl apply -f -
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: argocd-controller-admin
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: admin
-subjects:
-- kind: ServiceAccount
-  name: openshift-gitops-argocd-application-controller
-  namespace: openshift-gitops
-EOF
+kubectl apply -f rbac.yml
 ```
 
 #### Tekton
@@ -174,14 +157,29 @@ The commands described hereafter will help you to set up what it is needed:
   ```bash
   kubectl create secret generic dockerconfig-secret --from-file=config.json
   ```
-- **Warning**: To let ArgoCD to handle the `Applications` CR within your namespace, it is needed to patch the resource `kind: ArgoCD` to add your namespace using the field: `.spec.sourceNamespaces`. When patched, the ArgoCD operator will roll out automatically the ArgoCD server.
+- **Warning**: To allow Argo CD to manage resources in [other namespaces](https://docs.openshift.com/gitops/1.12/argocd_instance/setting-up-argocd-instance.html#gitops-deploy-resources-different-namespaces_setting-up-argocd-instance) apart from where it is installed, configure the target namespace with a `argocd.argoproj.io/managed-by` label.
   ```bash
-  kubectl get argocd/openshift-gitops -n openshift-gitops -o json \
-    | jq '.spec.sourceNamespaces += ["<MY_NAMESPACE>"]' | kubectl apply -f -
+  kubectl label namespace <MY_NAMESPACE> \
+      argocd.argoproj.io/managed-by=<argocd_namespace> 
   ```
-- And finally, create the service account `my-backstage`. 
+- And finally, create the service account `my-backstage` and give it `admin` rights using the following RBAC to access the Kubernetes API resources. 
   ```bash
   kubectl create sa my-backstage
+  NAMESPACE=<MY_NAMESPACE>
+cat <<EOF | kubectl apply -f -
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: backstage-$NAMESPACE-cluster-access
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: my-backstage
+  namespace: $NAMESPACE
+EOF
   ```
   **Note**: This is needed to create the SA in order to get the secret generated and containing the token that we will use at the step `Deploy and use Backstage on OCP`
 
@@ -254,6 +252,7 @@ Next run the following commands to start the front and backend using the `app-co
 
 ```sh
 yarn install
+export NODE_TLS_REJECT_UNAUTHORIZED=0
 yarn dev
 ```
 
diff --git a/manifest/installation/gitops/argocd.tmpl b/manifest/installation/gitops/argocd.yml
similarity index 94%
rename from manifest/installation/gitops/argocd.tmpl
rename to manifest/installation/gitops/argocd.yml
index ab6b9fd..143b236 100644
--- a/manifest/installation/gitops/argocd.tmpl
+++ b/manifest/installation/gitops/argocd.yml
@@ -1,69 +1,13 @@
 apiVersion: argoproj.io/v1beta1
 kind: ArgoCD
 metadata:
-  name: openshift-gitops
+  name: argocd
   namespace: openshift-gitops
 spec:
-  server:
-    autoscale:
-      enabled: false
-    grpc:
-      ingress:
-        enabled: false
-    ingress:
-      enabled: false
-    resources:
-      limits:
-        cpu: 500m
-        memory: 256Mi
-      requests:
-        cpu: 125m
-        memory: 128Mi
-    route:
-      enabled: true
-      tls:
-        termination: reencrypt
-    service:
-      type: ''
-  grafana:
-    enabled: false
-    ingress:
-      enabled: false
-    resources:
-      limits:
-        cpu: 500m
-        memory: 256Mi
-      requests:
-        cpu: 250m
-        memory: 128Mi
-    route:
-      enabled: false
-  monitoring:
-    enabled: false
-  notifications:
-    enabled: true
-  prometheus:
-    enabled: false
-    ingress:
-      enabled: false
-    route:
-      enabled: false
-  initialSSHKnownHosts: {}
-  sso:
-    dex:
-      openShiftOAuth: true
-      resources:
-        limits:
-          cpu: 500m
-          memory: 256Mi
-        requests:
-          cpu: 250m
-          memory: 128Mi
-    provider: dex
   applicationSet:
     resources:
       limits:
-        cpu: '2'
+        cpu: "2"
         memory: 1Gi
       requests:
         cpu: 250m
@@ -73,12 +17,16 @@ spec:
         enabled: false
       route:
         enabled: false
-  rbac:
-    defaultPolicy: ''
-    policy: |
-      g, system:cluster-admins, role:admin
-      g, cluster-admins, role:admin
-    scopes: '[groups]'
+  controller:
+    processors: {}
+    resources:
+      limits:
+        cpu: "2"
+        memory: 2Gi
+      requests:
+        cpu: 250m
+        memory: 1Gi
+    sharding: {}
   extraConfig:
     resource.customizations.health.PersistentVolumeClaim: |
       hs = {}
@@ -99,23 +47,19 @@ spec:
       hs.status = "Progressing"
       hs.message = "Waiting for PVC"
       return hs
-  repo:
+  grafana:
+    enabled: false
+    ingress:
+      enabled: false
     resources:
       limits:
-        cpu: '1'
-        memory: 1Gi
+        cpu: 500m
+        memory: 256Mi
       requests:
         cpu: 250m
-        memory: 256Mi
-  sourceNamespaces:
-    - $NAMESPACE
-  resourceExclusions: |
-    - apiGroups:
-      - tekton.dev
-      clusters:
-      - '*'
-      kinds:
-      - TaskRun
+        memory: 128Mi
+    route:
+      enabled: false
   ha:
     enabled: false
     resources:
@@ -125,8 +69,23 @@ spec:
       requests:
         cpu: 250m
         memory: 128Mi
-  tls:
-    ca: {}
+  initialSSHKnownHosts: {}
+  monitoring:
+    enabled: false
+  notifications:
+    enabled: true
+  prometheus:
+    enabled: false
+    ingress:
+      enabled: false
+    route:
+      enabled: false
+  rbac:
+    defaultPolicy: ""
+    policy: |
+      g, system:cluster-admins, role:admin
+      g, cluster-admins, role:admin
+    scopes: '[groups]'
   redis:
     resources:
       limits:
@@ -135,13 +94,52 @@ spec:
       requests:
         cpu: 250m
         memory: 128Mi
-  controller:
-    processors: {}
+  repo:
     resources:
       limits:
-        cpu: '2'
-        memory: 2Gi
+        cpu: "1"
+        memory: 1Gi
       requests:
         cpu: 250m
-        memory: 1Gi
-    sharding: {}
+        memory: 256Mi
+  resourceExclusions: |
+    - apiGroups:
+      - tekton.dev
+      clusters:
+      - '*'
+      kinds:
+      - TaskRun
+  server:
+    autoscale:
+      enabled: false
+    grpc:
+      ingress:
+        enabled: false
+    ingress:
+      enabled: false
+    resources:
+      limits:
+        cpu: 500m
+        memory: 256Mi
+      requests:
+        cpu: 125m
+        memory: 128Mi
+    route:
+      enabled: true
+      tls:
+        termination: reencrypt
+    service:
+      type: ""
+  sso:
+    dex:
+      openShiftOAuth: true
+      resources:
+        limits:
+          cpu: 500m
+          memory: 256Mi
+        requests:
+          cpu: 250m
+          memory: 128Mi
+    provider: dex
+  tls:
+    ca: {}
diff --git a/manifest/installation/gitops/rbac.yml b/manifest/installation/gitops/rbac.yml
new file mode 100644
index 0000000..a84c94d
--- /dev/null
+++ b/manifest/installation/gitops/rbac.yml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: argocd-controller-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: admin
+subjects:
+- kind: ServiceAccount
+  name: openshift-gitops-argocd-application-controller
+  namespace: openshift-gitops
\ No newline at end of file
diff --git a/manifest/installation/gitops/subscription-gitops.yml b/manifest/installation/gitops/subscription-gitops.yml
index 6eeb5b1..04f4d9e 100644
--- a/manifest/installation/gitops/subscription-gitops.yml
+++ b/manifest/installation/gitops/subscription-gitops.yml
@@ -11,4 +11,4 @@ spec:
   name: openshift-gitops-operator
   source: redhat-operators
   sourceNamespace: openshift-marketplace
-  startingCSV: openshift-gitops-operator.v1.11.1
+  startingCSV: openshift-gitops-operator.v1.12.3
diff --git a/manifest/installation/tekton/subscription-pipelines.yml b/manifest/installation/tekton/subscription-pipelines.yml
index 200d14e..eda4f82 100644
--- a/manifest/installation/tekton/subscription-pipelines.yml
+++ b/manifest/installation/tekton/subscription-pipelines.yml
@@ -11,4 +11,4 @@ spec:
   name: openshift-pipelines-operator-rh
   source: redhat-operators
   sourceNamespace: openshift-marketplace
-  startingCSV: openshift-pipelines-operator-rh.v1.13.1
+  startingCSV: openshift-pipelines-operator-rh.v1.15.0
diff --git a/manifest/installation/virt/subscription-kubevirt-hyperconverged.yml b/manifest/installation/virt/subscription-kubevirt-hyperconverged.yml
index 300f3eb..436793a 100644
--- a/manifest/installation/virt/subscription-kubevirt-hyperconverged.yml
+++ b/manifest/installation/virt/subscription-kubevirt-hyperconverged.yml
@@ -11,4 +11,4 @@ spec:
   name: kubevirt-hyperconverged
   source: redhat-operators
   sourceNamespace: openshift-marketplace
-  startingCSV: kubevirt-hyperconverged-operator.v4.14.3
+  startingCSV: kubevirt-hyperconverged-operator.v4.15.2